Additional Topics

This chapter provides additional information that is useful for understanding and administering the DirX Identity system.

This information is especially useful when some steps fail during configuration. Check the log file to find out which part(s) did not run, correct the error and start the configurator again; you can then select only those steps that did not finish successfully.

Disk Space Calculation

To calculate the disk space you will need for a DirX Identity installation, take these items into account:

  1. The space for DirX Identity itself. (See the section "Disk Space Requirements" in the chapter "Introduction".)

  2. Running auditing requires additional disk space.

  3. The space needed for the work and status areas where DirX Identity stores its temporary and permanent files.

The next sections discuss disk space requirements for auditing and DirX Identity working and status files and areas.

Space for Auditing

The space required for auditing depends on how you handle these points:

  • Regularly remove audit information from this area: either import it into a database or store it on backup devices.

  • Audit only the absolutely necessary objects in your Identity Store.

  • Configure only the absolutely necessary attributes for these objects.

  • Check whether you really need signed audit records. If you keep the audit area secure, this is not always necessary. Signed records require about double the space for auditing and slow down performance of real-time workflows considerably.

We recommend reserving enough space for auditing. Additionally, we recommend writing audit information to a separate disk to prevent influence on the server operation.

Space for Work and Status Areas

This amount can only be estimated and depends strongly on several factors:

  • The files you have configured to be stored in the status area (by default, all files are stored).

  • The amount of data (number and size of entries) to be synchronized.

  • The frequency of your scheduled workflows, the configured status expiration time and the status compression mode.

Because it is easy to fill your disk with status information, DirX Identity is designed to ignore a full disk in the status area, but it is not able to handle this problem for the work area.

Therefore, we strongly recommend following these guidelines:

  • Keep the work area and the status area on different disks.

  • Mark only important files to be stored automatically in the status area (for example, trace and report files, but not data files with a huge amount of data). You can of course activate more files during a test phase, but do not forget to deactivate them at the end.

  • Set individual status expiration times for each workflow. This helps to avoid overcrowding the directory with status entries. We recommend setting one month when the workflow runs every week, one week when it runs daily and one day when it runs every 10 minutes.

  • Set individual status expiration times for all Java-based Identity Servers.

This all should help to make your system more reliable and to restrict the use of resources.

Schema and Content Handling

During configuration, DirX Identity prepares the LDAP directory according to its own requirements. It extends the LDAP directory schema for the Connectivity Configuration tree and imports the basic content into that tree, which contains the DirX Identity Default Applications.

For workflows to run correctly, each agent type needs its own specific object classes and attributes. You must extend the schema for the joined data in the Identity Store with the agent-specific schema parts.

The next sections describe these procedures in more detail.

Setup of the Schema for the Connectivity Configuration

DirX Identity extends the schema of the defined LDAP directory with the object and attribute definitions needed for the DirX Identity Connectivity Configuration to permit correct DirX Identity operation.

Basic Content Extension

In this step, DirX Identity writes all pre-configured objects (workflow, activity, job, connected directory definitions and much more) from LDIF files to the LDAP directory. Based on this information, the DirX Identity administrator can configure his own objects and synchronizations with the powerful features of DirX Identity.

Target System Specific Schema Extensions

Setting up the Identity Store schema according to the types of target systems you would like to provision is a task that should be thoroughly planned. Set up only the required object classes and attributes to guarantee high performance and easy handling.

DirX Identity automatically extends the schema if you have selected the Sample Domain. A minimal set of attributes and object classes is defined for all target systems that require LDAP schema extensions. Note that not all target systems require schema changes. Using additional attributes in the Sample Domain requires a manual additional schema extension. Use the methods for customer domain schema extensions that are described in the next sections.

For customer domain schema extension, DirX Identity comes with several complete sets of attribute and object class extensions for each supported target system type. To perform the schema extension, follow these steps:

  We strongly recommend backing up your directory before you run any scripts! You cannot reverse schema extensions in a directory.

    1. Open the directory install_path/schema/tools.

    2. Open the subdirectory for your directory type: dirx-ee for a DirX installation.

    3. Copy the entire Customer Domain subdirectory and name the copy Customer Domain.orig.

    4. Update the schema definitions in the Customer Domain subdirectory according to your requirements.

      The following steps need to be performed:

      • Directory type dirx-ee (used for DirX V8.3 or higher):

        Select the LDIF file of your DirX Identity Connectivity package in the subdirectory ldif; for example, dirx.nt.ldif.

        Drop all the attributes in which you are not interested by removing the appropriate "MODIFY" records that refer to "attributeTypes" creations.

        Remove the attributes from the object class definitions by dropping the appropriate LDAP attribute names from the "MODIFY" records that refer to "objectClasses" creations.

        If indexes were defined for the attributes, drop the attribute types from the "dbconfig_opt" statements in the dirxadm script of your DirX Identity Connectivity package; for example, DirXmetahub-schema.Nt.adm (for NT).

    5. Run the script agent-schema.bat (on Windows) or agent-schema.sh (on Linux) under schema/tools. Then:

      • Type the password of the DirX Identity administrator admin.

      • Select the DirX Identity Connectivity package to install this part of the schema extension. (Each package has to be selected separately.)

      • Select whether to create the attribute indexes.

The schema extensions are now installed. Check the trace.txt file for errors; the exit codes at its end should be 0.
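As an added example (not part of the DirX Identity documentation or product), a small Python script that performs the two LDIF edits from step 4 automatically: it drops the "MODIFY" records that create the unwanted attributeTypes and removes the same names from the MUST/MAY lists of the objectClasses records. The LDIF content, OIDs and attribute names below are constructed placeholders, not real DirX schema elements.

```python
import re
# Constructed sample in the shape of a DirX schema-extension LDIF file; the
# OIDs, attribute and object class names are hypothetical placeholders.
SAMPLE_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'dxmXxHomeDir'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'dxmXxProfilePath'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'dxmXxUser' SUP top AUXILIARY
  MAY ( dxmXxHomeDir $ dxmXxProfilePath ) )
"""
# "MUST ( a $ b )" / "MAY ( a $ b )", or the single-name form "MAY a"
_LIST = re.compile(r"\b(MUST|MAY)\s+(?:\(\s*([^)]*?)\s*\)|([\w-]+))")

def _strip_from_class(line, drop):
    # Remove the names in `drop` from every MUST/MAY list of an objectClasses line
    def fix(m):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        names = [n for n in re.split(r"\s*\$\s*", raw) if n and n not in drop]
        return "%s ( %s )" % (m.group(1), " $ ".join(names)) if names else ""  # emptied clause: drop it
    return re.sub(r"\s+", " ", _LIST.sub(fix, line))

def prune_schema_ldif(text, drop):
    # Step 4: drop the attributeTypes MODIFY records for the names in `drop`
    # and strip the same names from the objectClasses MODIFY records
    drop, out = set(drop), []
    text = re.sub(r"\n ", "", text).strip()  # unfold LDIF continuation lines
    for rec in re.split(r"\n[ \t]*\n", text):  # records are blank-line separated
        kept, skip = [], False
        for line in rec.splitlines():
            if line.startswith("attributeTypes:"):
                m = re.search(r"NAME\s+'([^']+)'", line)
                skip = bool(m and m.group(1) in drop)  # whole record goes
            elif line.startswith("objectClasses:"):
                line = _strip_from_class(line, drop)
            kept.append(line)
        if not skip:
            out.append("\n".join(kept))
    return "\n\n".join(out) + "\n"
```

Diff the result against the Customer Domain.orig copy before running agent-schema; the "dbconfig_opt" index statements in the dirxadm script still have to be edited by hand.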

Indexed Attributes

DirX Identity requires a set of indexes. The minimum number of indexes is 84, the maximum number of indexes is 137 (all target system schema extensions performed).

This information is especially important for setting up DirX correctly.

DirX Identity Connectivity Configuration (17 attribute indexes)

dxmActive
dxmActivityStatusData-DN
dxmC
dxmDisplayName
dxmEndTime
dxmExitCode
dxmExpirationTime
dxmName
dxmOkStatus
dxmOrigWorkflow-DN
dxmResult
dxmScheduleName
dxmStartTime
dxmStatusExpirationTime
dxmType
dxmWarningStatus
dxmWorkflowInstID

DirX Identity Provisioning Configuration Extensions (67 attribute indexes)

dxmOprEventDivision
dxmOprMaster
dxmOprOriginator
dxmOprTriggerOrigin
dxmPwdLastChange
dxrAccessRightLink
dxrApproverLink
dxrApproverPotentialLink
dxrAssignedAccounts
dxrAssignedGroups
dxrAssignFrom
dxrAssignTo
dxrAssignmentLink
dxrCurrentParticipants
dxrDeleteDate
dxrDisableStartDate
dxrDisableEndDate
dxrEndDate
dxrErrorExpDate
dxrError
dxrExpirationDate
dxrGroupLink
dxrGroupMemberAdd
dxrGroupMemberDelete
dxrGroupMemberIgnore
dxrGroupMemberImported
dxrGroupMemberOK
dxrInheritedPrivilegeLink
dxrInheritedUserFacetPrivilegeLink
dxrIsActive
dxrIsExtensionGroup
dxrIsInconsistent
dxrName
dxrNeedsApproval
dxrNextApprovalDate
dxrObjectComplete
dxrObjectType
dxrOperationImp
dxrPeerTS
dxrPermissionLink
dxrPrimaryKey
dxrPrivilegeLink
dxrPrivilegesGrantedLink
dxrPwdChangedTime
dxrPwdChangeState
dxrReference
dxrResourceGroupLink
dxrResourceLink
dxrRoleID
dxrRoleLink
dxrRPvalues
dxrStartDate
dxrState
dxrSubjectLink
dxrSubjectGroupLink
dxrTBA
dxrToDo
dxrToPeer
dxrTSState
dxrTSStateExtended
dxrType
dxrUID
dxrUsedBy
dxrUserAssignementPossible
dxrUserLink
employeeNumber
uniqueMember

DirX Identity Connectivity Package Schema Extensions (18 attribute indexes)

If you install the sample domain, you need 18 additional indexes.

A) ADS: (7)

dxmADsComputerName
dxmADsDNSdomainName
dxmADsDomain
dxmADsForest
dxmADsGuid
dxmADsSamAccountName

B) Exchange 5.5: (2)

dxmEXcn
dxmEXrfc822Mailbox

C) Notes: (4)

dxmLNfullName
dxmLNlistName
dxmLNnoteID
dxmLNshortName

D) ODBC: (4)

dxmODBCdatabaseName
dxmODBCdatabaseType
dxmODBCfirstName
dxmODBClastName

E) SAP/R3-UM: (1)

sapUsername

DirX Identity Agent Schema Extensions for a Customer Domain (52 attribute indexes max)

For each Connectivity Package schema extension, you need the corresponding number of indexes. This list shows the maximum number delivered with each default set. If you extended the schema with fewer attributes, the number of indexes is lower.

A) ADS: (6)

dxmADsComputerName
dxmADsDNSdomainName
dxmADsDomain
dxmADsForest
dxmADsGuid
dxmADsSamAccountName

B) Exchange: (8)

dxmEXcn
dxmEXdescription
dxmEXemployeeNumber
dxmEXgivenName
dxmEXname
dxmEXrdn
dxmEXrfc822Mailbox
dxmEXsn

C) HDMS: (11)

dxmHDbuilding
dxmHDchristianName
dxmHDcompany
dxmHDcountry
dxmHDdmsid
dxmHDlocation
dxmHDname
dxmHDorg1
dxmHDorg2
dxmHDorg3
dxmHDsortName

D) Notes: (10)

dxmLNcomment
dxmLNemployeeID
dxmLNfirstName
dxmLNfullName
dxmLNinternetAddress
dxmLNlastName
dxmLNlistDescription
dxmLNlistName
dxmLNnoteID
dxmLNshortName

E) ODBC: (4)

dxmODBCdatabaseName
dxmODBCdatabaseType
dxmODBCfirstName
dxmODBClastName

F) SAPR3/HR: (4)

dxmSAPR3HRcommonName
dxmSAPR3HRgivenName
dxmSAPR3HrpersonnelNumber
dxmSAPR3HRsurName

G) SAP/R3-UM: (1)

sapUsername